4. Using Encryption Wisely


Sujeet Shenoi, Center for Information Security, Department of Computer Science, University of Tulsa, Tulsa, OK 74104. sujeet@utulsa.edu

Encryption provides a “false sense of security”

• Must be used correctly

• Practices

• Protocols

Encryption Speed

Delay Time

• Stream Stream-Block Block

• DES: 64-bit blocks

• RSA: 100-200-bit blocks (limited security with short blocks)

Speed

• Symmetric algorithms are much faster (1,000 to 5,000)

• Hardware solutions are much faster

• RSA: 220K Bits/s vs 0.5K Bits/s/MIPS

• DES: 1,200,000K Bits/s vs 400K Bits/s/MIPS

Block Replay

Transaction Format

• Depositor Name: 24 bytes (3 DES blocks)

• SrcAct: 8 bytes (1 DES block)

• DestAct: 8 bytes (1 DES block)

• Amount: 8 bytes (1 DES block)

Original Transactions

• Intruder | xxx | I# | zz$

• John Doe | yyy | JD# | 8K$

Fabricated Transaction

• Intruder | yyy | I# | 8K$

Block Chaining

• Prevents “Block Replay”

• x ⊕ x = 0 (1011 ⊕ 1011 = 0000)

• Encryption

– C1: { P1 }K

– C2: { P2 ⊕ C1 }K

– Cj: { Pj ⊕ Cj-1 }K

• Decryption

– P1: { C1 }K

– P2: { C2 }K ⊕ C1

– Pj: { Cj }K ⊕ Cj-1

Initial Chaining Value

• Block Chaining conceals identical blocks

• Only if each block is preceded by something unique

• Suppose messages always begin with: “US Army HQ”

• Encryption

– C1: { IV }K (IV: Random Initial Vector)

– C2: { P1 ⊕ C1 }K

– Cj: { Pj-1 ⊕ Cj-1 }K

• Decryption

– P0: { C1 }K

– Pj: { Cj+1 }K ⊕ Cj
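The splice from the Block Replay slide, run once against independently encrypted blocks and once against the chained form with an encrypted IV, as an added example that is not part of the original slides. The 64-bit Feistel cipher is a toy stand-in for DES, and the key and the field values are constructed for the example.

```python
import hashlib, os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def f(key, rnd, half):                   # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, b):                   # toy 64-bit block cipher standing in for DES
    l, r = b[:4], b[4:]
    for i in range(4):
        l, r = r, xor(l, f(key, i, r))
    return l + r

def dec_block(key, b):
    l, r = b[:4], b[4:]
    for i in reversed(range(4)):
        l, r = xor(r, f(key, i, l)), l
    return l + r

def blocks(data):
    return [data[i:i + 8] for i in range(0, len(data), 8)]
def ecb_enc(key, pt):                    # every block encrypted independently
    return [enc_block(key, p) for p in blocks(pt)]

def chain_enc(key, pt):                  # C1 = {IV}K, Cj = {Pj-1 xor Cj-1}K
    out = [enc_block(key, os.urandom(8))]
    for p in blocks(pt):
        out.append(enc_block(key, xor(p, out[-1])))
    return out

def record(name, src, dst, amount):      # 24 + 8 + 8 + 8 bytes = 6 blocks
    return (name.ljust(24) + src.ljust(8) + dst.ljust(8) + amount.ljust(8)).encode()

def splice(mine, theirs):                # last 6 blocks: name x3, SrcAct, DestAct, Amount
    m, t = mine[-6:], theirs[-6:]
    return mine[:-6] + m[:3] + [t[3], m[4], t[5]]

KEY = b"constructed-key"                 # sample values constructed for this example
INTRUDER = record("Intruder", "xxx", "I#", "zz$")
JOHN = record("John Doe", "yyy", "JD#", "8K$")
FABRICATED = record("Intruder", "yyy", "I#", "8K$")

def replay_ecb():                        # receiver decrypts each block on its own
    ct = splice(ecb_enc(KEY, INTRUDER), ecb_enc(KEY, JOHN))
    return b"".join(dec_block(KEY, c) for c in ct)

def replay_chained():                    # receiver computes Pj = {Cj+1}K xor Cj
    ct = splice(chain_enc(KEY, INTRUDER), chain_enc(KEY, JOHN))
    return b"".join(xor(dec_block(KEY, c), prev) for prev, c in zip(ct, ct[1:]))
```

`replay_ecb()` returns exactly the fabricated record, while `replay_chained()` keeps the untouched name blocks and turns the spliced SrcAct, DestAct and Amount fields into unpredictable bytes. Chaining garbles the splice but does not flag it; detecting the change is the job of a cryptographic seal.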

One Way Encryption

Use special functions

• f(x) = x^3; x = (f(x))^(1/3) (difficult to compute)

• f(x) = x^2; x = (f(x))^(1/2) (no unique inverse, e.g., for f(x) = 4)

• System stores f(pwd)

• User enters string

• System computes f(string) and compares with f(pwd)

• Internet Worm (Nov. 2, 1988)

Cryptographic Sealing

Integrity (as opposed to Secrecy)

• Store <file> and SHA(<file>)

• A cryptographic checksum could be the last block of a chained DES encryption

Authentication and Time Stamps

Authentication

• Biometrics

Time Stamps

• Prevent replays

• Chronology

• Sender’s and receiver’s time stamps must match

Cipher Block Chain (CBC)

• Prevents block replay

• Self-healing (Error in block Cj affects Bj and Bj+1)

• Encryption

– C1: { B1 }K (Usually B1 = Initial Vector)

– C2: { B2 ⊕ C1 }K

– Cj: { Bj ⊕ Cj-1 }K

• Decryption

– Bj: { Cj }K ⊕ Cj-1

Cipher Feedback (CFB)

• Block nature of DES is inconvenient

– Partial final block must be padded (size of ciphertext > size of plaintext)

– Encryption cannot begin until entire 64-bit block is input (secure networks: every character must be encrypted)

• CFB: Block → Stream

– Encryption error only affects the next 8 characters

Double Encryption

DES is “weak”

Can we use two 56-bit DES keys back to back?

• { { Message }K1 }K2

• 56-bit key: 2^56 possibilities

• Two 56-bit keys: 2^112 possibilities?

• No!

• 2^57 possibilities (Merkle, 1981)
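Why the count is 2^57 and not 2^112, as an added example that is not part of the original slides: with a known plaintext/ciphertext pair, one sweep over K1 forward and one sweep over K2 backward meet at the middle value, so the work is two single-key sweeps. The cipher below is a toy 16-bit block cipher with 12-bit keys, not DES, and the keys and plaintexts are constructed.

```python
KEYBITS = 12                      # toy key size; DES has 56
M = 1 << 16                       # toy 16-bit block
MUL = 0x6B4D                      # odd, so multiplication is invertible mod 2**16
INV = pow(MUL, -1, M)

def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) % M

def enc(k, x):                    # toy cipher, not DES
    for r in range(3):
        x = rotl(((x ^ (k + 0x1D3 * r)) * MUL) % M, 5)
    return x

def dec(k, y):
    for r in reversed(range(3)):
        y = ((rotl(y, 11) * INV) % M) ^ (k + 0x1D3 * r)
    return y

def double_enc(k1, k2, x):        # { { x }K1 }K2
    return enc(k2, enc(k1, x))

def recover_keys(pairs):
    """Return (matching (k1, k2) pairs, single-cipher operations in the two sweeps)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle, ops = {}, 0
    for k1 in range(1 << KEYBITS):            # sweep 1: forward from the plaintext
        middle.setdefault(enc(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEYBITS):            # sweep 2: backward from the ciphertext
        ops += 1
        for k1 in middle.get(dec(k2, c0), []):
            # extra known pairs weed out chance matches at the middle value
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

K1, K2 = 0x5A3, 0xC17                         # constructed secret keys
PAIRS = [(p, double_enc(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
```

`recover_keys(PAIRS)` uses 2 × 2^12 = 2^13 sweep operations instead of 2^24, the same ratio as 2^57 to 2^112 for DES, at the cost of a table with one entry per K1.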

Triple DES

Uses two 56-bit DES keys; Same hardware/software

Encryption

1. C1 = DESEncrypt(P, K1)

2. C2 = DESDecrypt(C1, K2)

3. C3 = DESEncrypt(C2, K1)

Decryption

1. D2 = DESDecrypt(C3, K1)

2. D1 = DESEncrypt(D2, K2)

3. P = DESDecrypt(D1, K1)

5. Cryptographic Protocols

Cryptographic Protocol

• Orderly sequence of steps to achieve certain security properties

• Established in advance

• Mutually subscribed

• Unambiguous

• Complete

Kinds of Protocols

Arbitrated Protocols

• Trusted third party participates in each transaction

• Expensive, slow, vulnerable

Adjudicated Protocols

• Third party judges fairness after the fact

• Address disadvantages of arbitrated protocols

• Detect failure only after the fact

Self-Enforcing Protocols

• Guarantee fairness; cheating is immediately obvious

• May not exist for every situation

Applications of Protocols

• Key Distribution

• Certificates

• Digital Signatures

• Clipper Key Exchange

• Mental Poker

• Voting by Computer

• Oblivious Transfer

• Contract Signing

• Certified Mail

Key Distribution Protocols

1. Symmetric Key Exchange (without Server)

2. Symmetric Key Exchange (with Server)

3. Asymmetric Key Exchange (without Server)

4. Asymmetric Key Exchange (with Server)

Sym. Key Exchange (No Server)

Requirements

• A & B share KM (Master Key)

Protocol

1. A: Generates session key: KS

2. A → B: { KS }KM

Sym. Key Exchange (Server)

Needham-Schroeder Protocol

1. A → S: A, B, IA (IA: Unique session ID)

2. S → A: { IA, B, KAB, { KAB, A }KB }KA (new KAB)

3. A → B: { KAB, A }KB

Asym. Key Exchange (No Server)

Important Point

• Asymmetric key encryption is very expensive

• Never encrypt message; transmit encrypted sym. key

Protocol

1. A → B: { { KAB }KApriv }KBpub

2a. B → A: { n }KAB (n: Random number)

2b. A → B: { n + 1 }KAB

Asym. Key Exchange (Server)

Protocol

1. A → S: A, B

2. S → A: { KBpub, B }KSpriv

3. A → B: { A, IA }KBpub (IA: message reference)

4. B → S: B, A

5. S → B: { KApub, A }KSpriv

6. B → A: { IA, IB }KApub (IB: message reference)

7. A → B: { KAB, IB }KBpub (KAB : message)

Certificates

Binding an Individual’s Identity and Public Key

• A: President and CEO

• B, C: Vice Presidents

• C supervises D and E

• B’s Certificate: { IDB, PosB, KBpub, H(.) }KApriv

• C’s Certificate: { IDC, PosC, KCpub, H(.) }KApriv

• D’s Certificate: { IDD, PosD, KDpub, H(.) }KCpriv, C’s Certificate

• Always need a top-level authority

Digital Signature Protocols

Goals

• Non Forgeable [M, sig(M, P)]

• Authentic

• Non Alterable; Non Reusable

• Non Repudiation

• Symmetric Key Protocol (Arbiter (A) needed)

• Cryptographic Sealing (Arbiter (A) needed)

• Asymmetric Key Protocol (Self-Enforcing)

Symmetric Key (Digital Signature)

Symmetric Key Protocol

(Non Forgeability, Authenticity, Non Repudiation)

• S → A: { M }KS

• A → R: { M, S, { M }KS }KR

• R: Unlocks with KR; saves M and { M }KS

Cryptographic Sealing (Dig. Sig.)

Cryptographic Sealing Function

• f(M): unique value

• S and R register fS and fR with Arbiter A

Protocol (No Secrecy)

1. S → A: M, fS(M)

2. A: Recomputes fS(M); compares with fS(M) received from S

3. A → R: M, S, fS(M), fR(M, S)

Asymmetric Key (Digital Signature)

Protocol 1 (Non Forgeability, Authenticity, Non Repud.)

• S → R: { M }KSpriv

• R: { { M }KSpriv }KSpub = M (saves { M }KSpriv)

Protocol 2 (Double Encryption: Privacy)

• S → R: { { M }KSpriv }KRpub

• R: { { { { M }KSpriv }KRpub }KSpub }KRpriv = M

Clipper Key Exchange Algorithm

Seven Step Protocol

• Three steps for key exchange

• Four steps for mutual authentication

• S & R share secret key KP, symmetric algorithm and asymmetric algorithm

Clipper Key Exchange (contd.)

Step 1

S → R: { KSpub }KP

Step 2

R: Uses KP to obtain KSpub

R: Chooses random session key Kk

R → S: { { Kk }KP }KSpub

Step 3

S: Uses KSpriv and KP to obtain Kk

Clipper Authentication (contd.)

Step 4

S → R: { M }Kk (M: Random string)

Step 5

R: Uses Kk to obtain M

R → S: { M, N }Kk (N: Random string)

Step 6

S: Checks M

Step 7

R: Checks N

Mental Poker Protocol

Symmetric Key Implementation

• A → B: { m1 }KA … { m10 }KA

• B: Locks 5 messages: { { mj }KA }KB

• B → A: { mi }KA … & { { mj }KA }KB …

• A: Unlocks all 10 messages with KA

Keeps 5 messages: { { mi }KA }KA … = mi …

• A → B: { { { mj }KA }KB }KA … = { mj }KB

• B: Unlocks all 5 messages with KB

Keeps 5 messages: { { mj }KB }KB … = mj …
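The deal above only works if locks can be removed in a different order than they were applied, so that A can strip KA from { { mj }KA }KB and leave { mj }KB. An added example, not part of the original slides, that runs the steps with one cipher that has this property: exponentiation modulo a shared prime, which is an assumption here since the slide does not name a cipher. The prime, seed and card values are constructed, and this scheme is known to leak the quadratic residuosity of a card, so it illustrates the message flow only.

```python
import math, random

P = 2**127 - 1                      # shared prime modulus (a Mersenne prime)

def keygen(rng):
    """Return (lock exponent e, unlock exponent d) with e*d = 1 mod (P-1)."""
    while True:
        e = rng.randrange(3, P - 1)
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def lock(m, e):                     # {m}K
    return pow(m, e, P)

def unlock(c, d):                   # removes one lock, whatever other locks remain
    return pow(c, d, P)

def commutes(m, seed=7):
    rng = random.Random(seed)
    (ea, _), (eb, _) = keygen(rng), keygen(rng)
    return lock(lock(m, ea), eb) == lock(lock(m, eb), ea)

def deal(seed=2024):
    rng = random.Random(seed)       # fixed seed so the run repeats; use `secrets` in practice
    (ea, da), (eb, db) = keygen(rng), keygen(rng)
    deck = list(range(2, 12))       # m1..m10, constructed card values
    # A -> B: {m1}KA ... {m10}KA, in shuffled order
    sent = [lock(m, ea) for m in deck]
    rng.shuffle(sent)
    # B: leaves 5 as {mi}KA for A, locks the other 5 as {{mj}KA}KB, returns all 10
    rng.shuffle(sent)
    for_a, for_b = sent[:5], [lock(c, eb) for c in sent[5:]]
    # A: unlocks all 10 with KA; 5 become mi, 5 become {mj}KB and go back to B
    hand_a = [unlock(c, da) for c in for_a]
    back_to_b = [unlock(c, da) for c in for_b]
    # B: unlocks those 5 with KB
    hand_b = [unlock(c, db) for c in back_to_b]
    return deck, hand_a, hand_b, back_to_b
```

The two hands partition the deck, and the five values A returns to B are still locked under KB, so A never sees B's cards.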

Mental Poker Protocol (contd.)

Asymmetric Key Implementation

• A → B: { m1 }KApub … { m10 }KApub

• B: Locks 5 messages: { { mj }KApub }KBpub …

• B → A: { mi }KApub … & { { mj }KApub }KBpub

• A: Unlocks all 10 messages with KApriv

Keeps 5 msgs: { { mi }KApub }KApriv … = mi …

• A → B: { { { mj }KApub }KBpub }KApriv … = { mj }KBpub …

• B: Unlocks all 5 messages with KBpriv

Keeps 5 msgs: { { mj }KBpub }KBpriv … = mj …

Voting by Computer Protocol

2*n Link Chain (n: number of voters)

• Results at each link can be made public without destroying anonymity

• During the last n links, anyone can go back to check, but only one can go forward

• Assume three voters (J, K, L)

• Two pairs of public keys

– (KJpriv, KJpub); (KKpriv, KKpub); (KLpriv, KLpub)

– (RJpriv, RJpub); (RKpriv, RKpub); (RLpriv, RLpub)

– Ripub embeds random string; allows voter i to check vote

Voting by Computer (contd.)

Step 0

• Each voter encrypts vote and sends it to J

– J has: RJpub ° RKpub ° RLpub ° KJpub ° KKpub ° KLpub (vi)

Steps 1-3

• J (K, L) verifies vote is in pool with RJpriv (RKpriv, RLpriv)

• Applies RJpriv (RKpriv, RLpriv) to each vote

• Sends votes to K (L, J)

– J has: KJpub ° KKpub ° KLpub (vi)

Voting by Computer (contd.)

Steps 4-6

• J (K, L) applies KJpriv (KKpriv, KLpriv)

• Applies KJpriv (KKpriv, KLpriv) to each vote

• Signs all votes

• Sends votes to K (L)

– L has all votes: vi

– L counts votes

– L posts results

Oblivious Transfer Protocol

Eight Step Protocol (Flipping a coin at a distance)

1. A: Picks two asymmetric key pairs: (KIpriv, KIpub), (KJpriv, KJpub)

2. B: Picks symmetric key: KB

3. A → B: KIpub, KJpub

4. B: Picks one key at random: KHpub

B → A: { KB }KHpub

5. A: Picks I or J at random (say: J)

Computes: KA = { { KB }KHpub }KJpriv (KA = KB if H = J)

6. A → B: { A loses }KA, J

7. B: M = { { A loses }KA }KB

B → A: M, H (B loses if H ≠ J)

8. B → A: KIpriv, KJpriv (for verification)

Contract Signing Protocol

1. A: Selects 2n symmetric keys: C1 .. C2n

Arranges them in pairs: (Ci, Cn+i), i = 1 .. n

2. A → B: i = { S }Ci i = 1 .. 2n (S = Std Msg; i: S-puzzle)

3. A: Agrees to contract if B can produce a pair (Ci, Cn+i) for any i (S-puzzle solution)

4. B: Repeats Steps 1-3: keys: Di and S-puzzles: i

5. A → B: Exchange (Ci, Cn+i) … by Oblivious Transfer Protocol

B → A: Exchange (Di, Dn+i) … by Oblivious Transfer Protocol

6. For each bit j:

A → B: jth bit of Ci, i = 1 .. 2n

B → A: jth bit of Di, i = 1 .. 2n

Certified Mail Protocol

1. A: Selects n + 1 symmetric keys: g0 .. gn

Computes: gn+i = g0 ⊕ gi, i = 1 .. n

2. A → B: G = { M }g0 (g0 = gn+i ⊕ gi for all i)

3. A → B: Gi = { SA }gi, i = 1 .. 2n (SA = Std Msg)

4. B: Selects 2n symmetric keys: h1 .. h2n

B → A: Hi = { SB }hi, i = 1 .. 2n (SB = Std Msg)

5. B: Agrees to acknowledge receipt of plaintext of G if A can produce any one of (hi, hn+i) and all gj (j = 1 .. 2n)

6. A → B: Exchange (gi, gn+i) … by Oblivious Transfer Protocol

B → A: Exchange (hi, hn+i) … by Oblivious Transfer Protocol

7. For each bit j:

A → B: jth bit of gi, i = 1 .. 2n

B → A: jth bit of hi, i = 1 .. 2n
